An attack on my smart-toaster is an attack on all of us!

Can the recent DDoS attack in the US help Australia learn to be a smarter cyber nation?

On Friday 21 October, while most of us in Australia were sleeping, socialising or browsing on our smartphones at the end of the working week, the US was waking up to a huge Distributed Denial of Service (DDoS) attack on a company called Dyn, generating headlines around the world.

The hackers who carried out the DDoS attack used our own everyday devices to attack and bring down the servers of this DNS company. This mattered a lot because the US-based Dyn acts like a phonebook for the internet, making sure that the web addresses that you type into your browser actually direct you to the sites you want to find. Dyn went down, and suddenly people couldn’t find the sites that it supports, including Twitter, the Guardian, Netflix, Reddit, CNN and many others in Europe and the US.

It’s since been confirmed that this was the largest attack of its kind in history, and there were definitely some new elements that hadn’t been seen before. Because of the size and the means of this attack, a lot of the coverage has had a slightly frantic tone. If 2016 has been the year where humans have really started to worry about losing their jobs to robots, then, according to the media, this attack was the moment when the idea of our appliances turning on us – think your smart fridge attacking you while you sleep – became several steps closer to reality!

Setting aside the fact that I am slightly unnerved by that image, I do also want to take the opportunity to look at what happened with a cool head. If we can overcome the initial waves of panic generated by incidents like these, they are actually really good opportunities for Australian individuals, organisations and governments to learn from. We want to be a prosperous and successful country with an economy built on the foundations of a secure cyber environment, so we should take every opportunity to build our resilience in the face of events like this.

What is a DDoS attack?

A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. In this instance, hackers directed a massive volume of online traffic to the servers of Dyn.

Will Dyn being compromised have any long term implications for me?

There probably are Australian customers of Dyn who may have been impacted by the outage, but the most relevant fact for Australians about the targeting of this company is not who they are, but what they do and, most importantly, where they sit in the supporting infrastructure of the internet. Dyn would not have been seen as a frontline target for hackers, and yet its central role caused big disruption.

It’s unlikely that most organisations would have had the foresight to consider the importance of their DNS provider in ensuring the security of their operations. This incident is a reminder that our ecosystem of suppliers, partners and infrastructure companies is becoming increasingly complex. So when we think about giving ourselves a good cyber foundation, this means firstly looking broadly at who can impact the availability of our online services. Secondly, it means really understanding that, with so much beyond our scope and control, preventing cyberattacks is not always going to be possible. If we understand this, we understand that the most important things to build in our organisations are not only walls and protections, but also resilience to attacks and appropriate responses to ensure we can continue to operate.
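One way to act on the first point, as an added example that is not part of the original article: a short Python check that groups each zone's nameservers by operator and reports which zones depend on a single DNS provider. The zone names, NS hostnames and the last-two-labels provider heuristic are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample input: zone -> NS hostnames, in the form that
# `dig NS <zone> +short` prints them. None of these names are real.
SAMPLE_NS = {
    "shop.example": ["ns1.dns-a.example.", "ns2.dns-a.example.", "ns3.dns-a.example."],
    "mail.example": ["ns1.dns-a.example.", "ns1.dns-b.example."],
    "blog.example": ["NS1.dns-b.example."],
    "old.example": [],
}


def provider_of(ns_host):
    """Approximate the operator of a nameserver by the last two labels of its
    hostname. Assumption: good enough for this sample; production code should
    use the Public Suffix List (e.g. for names under co.uk or com.au)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit(zones):
    """Return zone -> sorted list of distinct DNS providers serving it."""
    return {zone: sorted({provider_of(h) for h in hosts if h.strip()})
            for zone, hosts in zones.items()}


def blast_radius(zones):
    """Return provider -> zones that stop resolving (once cached answers
    expire) if that provider alone is unreachable."""
    exposed = defaultdict(list)
    for zone, providers in audit(zones).items():
        if len(providers) == 1:  # every nameserver sits with one operator
            exposed[providers[0]].append(zone)
    return {p: sorted(z) for p, z in exposed.items()}


def unresolvable(zones):
    """Zones with no nameservers at all, a separate fault worth flagging."""
    return sorted(z for z, providers in audit(zones).items() if not providers)


if __name__ == "__main__":
    for provider, hit in sorted(blast_radius(SAMPLE_NS).items()):
        print(f"{provider} outage takes down: {', '.join(hit)}")
    print("no nameservers listed:", unresolvable(SAMPLE_NS))
```

A zone that appears in the output has every nameserver with one operator, so adding a secondary provider for it is the resilience step the paragraph above argues for.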

What has the Internet of Things (IoT) got to do with this? Should I be worried about my webcam?

The Internet of Things is basically any object in your house or in your life that is connected to the internet, or can transmit information about itself to other machines: for example, your home printer automatically ordering ink from the supplier when it gets low, or my air conditioning system that I can control with an app. The point of making more and more objects internet-enabled is simply to increase convenience levels for us. As customers, our demand for convenience is increasing, and the number of internet-enabled ‘things’ is increasing in line with it.

We have known for a while that internet-enabled devices are particularly vulnerable to hackers. They are usually mass produced with cheap component parts, meaning they are rarely well protected, and it’s often hard to access them to keep their software up to date or to increase their security. And for a long time nobody has been too bothered about this. After all, even if someone did hack into your internet-enabled kettle, what could they do? Last week’s attack shows us that the security of our devices may not be important for the device itself, but it is important if these devices can be used as a stepping stone to compromise things we actually care about – like the internet. In this attack, for the first time, hackers accessed tens of millions of devices infected with a relatively simple virus – the Mirai botnet – and used them to attack the servers of Dyn. Meanwhile, the vast majority of us would have no idea that our devices were, or could be, infected with this virus, let alone that they were being used for no-good purposes, essentially turning against us!

What does this mean for us in Australia?

Firstly, how this attack happened is a reminder of how connected we all are – locally, nationally, globally. If targeted in a certain way, relatively low-key players, like Dyn, and relatively minor component parts, like your webcams, can have huge consequences. Therefore we all personally, as well as professionally, have a part to play in keeping our part of the internet safe and secure. We have successfully improved our internet safety culture quite a lot in recent years to ensure elements like our home Wi-Fi are protected and secure. We now need to accept, culturally, the need to extend that protection to all smart devices in our lives.

It also reminds us that this connectivity can work in good ways as well as bad. We have an opportunity now to come together with government, as a responsible cyber secure nation, and legislate so that all devices with internet connectivity meet minimum security standards.

It reminds us that cyber resilience will always go beyond the walls of our own organisations. Strong partnerships are the only way we can make sure that our neighbours, our partners and suppliers, our competitors even, are all playing their part to build resilience. It also shows, given the breadth of this attack, that a lot of the time cyber breaches are not personal – you don’t need to have enemies to be targeted. The attack was not to a particular end; hackers often carry out these attacks simply because they can.

Ultimately, our lesson from this incident is that more convenience for us goes hand in hand with taking responsibility for securing the resources that enable that convenience. Having a strong, safe internet is essential for Australia and anyone who does business here or with us. And protecting and growing this internet isn’t someone else’s job. Nobody owns the internet and so everybody does, therefore we all play a small part in protecting the whole.

Matthew is a partner of Risk and the national lead partner for Technology Governance related services. This includes ERP Application Integrity, IT Controls Transformation, IT Governance, IT Risk Management and Risk Management Technologies, including the selection and implementation of GRC solutio...